VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 25 of 512
  • CVE-2024-7076CriSep 4, 2024
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Semtek Informatics Software Consulting Inc. Semtek Sempos allows Blind SQL Injection. This issue affects Semtek Sempos: through 31072024.

  • CVE-2024-6919CriSep 2, 2024
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NAC Telecommunication Systems Inc. NACPremium allows Blind SQL Injection. This issue affects NACPremium: through 01082024.

  • CVE-2024-7071CriAug 27, 2024
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 564 - SQL Injection: Hibernate vulnerability in Brain Information Technologies Inc. Brain Low-Code allows SQL Injection. This issue affects Brain Low-Code: before 2.1.0.

  • CVE-2024-8161CriAug 26, 2024
    risk 0.64cvss 9.8epss 0.00

    SQL injection vulnerability in ATISolutions CIGES affecting versions lower than 2.15.5. This vulnerability allows a remote attacker to send a specially crafted SQL query to the /modules/ajaxServiciosCentro.php point in the idCentro parameter and retrieve all the information…

  • CVE-2024-33872CriAug 20, 2024
    risk 0.64cvss 9.8epss 0.00

    Keyfactor Command 10.5.x before 10.5.1 and 11.5.x before 11.5.1 allows SQL Injection which could result in code execution and escalation of privileges.

  • CVE-2024-6699CriJul 30, 2024
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mikafon Electronic Inc. Mikafon MA7 allows SQL Injection. This issue affects Mikafon MA7: from v3.0 before v3.1.

  • CVE-2024-0857CriJul 18, 2024
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Universal Software Inc. FlexWater Corporate Water Management allows SQL Injection. This issue affects FlexWater Corporate Water Management: before 5.452.0.

  • CVE-2024-6457CriJul 16, 2024
    risk 0.64cvss 9.8epss 0.20

    The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ‘woof_author’ parameter in all versions up to, and including, 1.3.6 due to insufficient escaping on the user supplied parameter and lack of…

  • CVE-2024-27709CriJul 5, 2024
    risk 0.64cvss 9.8epss 0.01

    SQL Injection vulnerability in Eskooly Web Product v.3.0 allows a remote attacker to execute arbitrary code via the searchby parameter of the allstudents.php component and the id parameter of the requestmanager.php component.

  • CVE-2024-4228CriJun 26, 2024
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE - 522 - Insufficiently Protected Credentials vulnerability in Magarsus Consultancy SSO (Single Sign On) allows SQL…

  • CVE-2024-36681CriJun 24, 2024
    risk 0.64cvss 9.8epss 0.01

    SQL Injection vulnerability in the module "Isotope" (pk_isotope) <=1.7.3 from Promokit.eu for PrestaShop allows attackers to obtain sensitive information and cause other impacts via `pk_isotope::saveData` and `pk_isotope::removeData` methods.

  • CVE-2024-34988CriJun 24, 2024
    risk 0.64cvss 9.8epss 0.00

    SQL injection vulnerability in the module "Complete for Create a Quote in Frontend + Backend Pro" (askforaquotemodul) <= 1.0.51 from Buy Addons for PrestaShop allows attackers to view sensitive information and cause other impacts via methods…

  • CVE-2024-34989CriJun 21, 2024
    risk 0.64cvss 9.8epss 0.00

    In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb().'

  • CVE-2024-6027CriJun 21, 2024
    risk 0.64cvss 9.8epss 0.01

    The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation…

  • CVE-2024-37699CriJun 20, 2024
    risk 0.64cvss 9.8epss 0.00

    An issue in DataLife Engine v.17.1 and before is vulnerable to SQL Injection in dboption.

  • CVE-2024-34994CriJun 19, 2024
    risk 0.64cvss 9.8epss 0.00

    In the module "Channable" (channable) up to version 3.2.1 from Channable for PrestaShop, a guest can perform SQL injection via `ChannableFeedModuleFrontController::postProcess()`.

  • CVE-2024-4295CriJun 5, 2024
    risk 0.64cvss 9.8epss 0.10

    The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing…

  • CVE-2024-5311CriJun 3, 2024
    risk 0.64cvss 9.8epss 0.01

    DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records.

  • CVE-2024-3200CriJun 1, 2024
    risk 0.64cvss 9.9epss 0.00

    The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode in all versions up to, and including, 2.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL…

  • CVE-2024-1100CriMay 30, 2024
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Vadi Corporate Information Systems DIGIKENT GIS allows SQL Injection. This issue affects DIGIKENT GIS: through 2.23.5.